[Samba] Samba 4, Winbind & RFC2307

Andrew Bartlett abartlet at samba.org
Sun Dec 23 13:27:33 MST 2012


On Sun, 2012-12-23 at 14:40 +0100, "Dr. Hansjörg Maurer" wrote:
> Hi
> 
> Am 16.12.2012 23:06, schrieb Andrew Bartlett:
> > On Sun, 2012-12-16 at 16:51 -0500, Thomas Simmons wrote:
> >> Hello Andrew,
> >>
> >>
> >> If functionality is not there, I certainly understand and can work
> >> around it. I just want to make sure I am not misunderstanding
> >> something.
> >>
> >>
> >> When you say I should set "idmap_ldb:use rfc2307=yes" in smb.conf on
> >> the DC, do you mean that by doing so I can use winbind (and the
> >> rfc2307 attributes) for *nix authentication on the DC? I am confused
> >> because I already have "idmap_ldb:use rfc2307 = yes" in my smb.conf
> >> (it gets added automatically with the classicupgrade and I always
> >> provision my "clean" test setup with "--use-rfc2307"). That actually
> >> works fine - the rfc2307 attributes are there and I can modify them in
> >> ADUC. If I configure the server to use NSS+LDAP for authentication, my
> >> users' uid number, gid number, shell, etc. are what I have specified
> >> in ADUC. When I try using winbind, it is not using the rfc2307
> >> information from AD. 
> > That's odd, but remember that only the UID and GID values will be used
> > (not the shell or homedir, which is handled in a different bit of the
> > code).  However, your output below clearly shows that isn't
> > happening :-(
> 
> I got it working with 4.0.0 with some manual interaction
> Steps to reproduce:
> - add a user to a domain provisioned with --use-rfc2307
>   samba-tool user add testuser
> - add a group testgroup to the domain
> - set unix attributes with MMC for user and group
> - put user into windows group using MMC and assign testgroup as windows
> primary group (not under unix attributes)
> - set idmap_ldb:use rfc2307=Yes in smb.conf
> 
> As reported before, the user and the group did not show up in getent
> passwd and getent group with the uid and gid set in MMC, but with a
> random number
> 
> testgroup:*:3000022:
> 
> S4HJ\testuser:*:3000013:100::/home/testuser:/bin/bash
> 
> 
> 
> If I do a
> 
> ldbedit -e vi -H /etc/samba/sam.ldb
> 
> and manually add
> objectClass: posixGroup
> to testgroup
> and
> objectClass: posixAccount
> to testuser
> 
> it works fine
> [root at merlot samba-4.0.0]# getent passwd testuser
> S4HJ\testuser:*:10000:10001::/home/testuser:/bin/bash
> [root at merlot samba-4.0.0]# getent group testgroup
> testgroup:*:10000:
> [root at merlot samba-4.0.0]# id -a S4HJ\\testuser
> uid=10000(S4HJ\testuser) gid=10001(testgroup2)
> Gruppen=10001(testgroup2),100(users),10000(testgroup)
> 
> Is there a way to add this objectclass automatically?

Please file a bug, so it isn't lost over the Christmas season, but
clearly I need to change the code not to rely on posixAccount and
posixGroup.  The steps you performed are reasonable, and while we can
improve our tool to add that objectClass, if AD isn't adding it using
the standard GUI tools, we shouldn't require it either. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
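
Added example (not code from the thread or from Samba): the workaround
described in the quoted reply, adding objectClass posixAccount /
posixGroup so winbind picks up the RFC2307 uidNumber/gidNumber, done
non-interactively with ldbmodify instead of ldbedit, followed by a check
that the id winbind reports is the value set in AD and not an allocated
one from the idmap range. The DNs, the sam.ldb path and the expected ids
are placeholders taken from the thread's output; adapt them to your
domain. It assumes a DC provisioned with --use-rfc2307, entries that
already carry uidNumber/gidNumber, and the Samba ldb tools on PATH.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba: a scripted form of
# the ldbedit workaround (adding objectClass posixAccount/posixGroup so
# winbind uses the RFC2307 uidNumber/gidNumber), plus a check that the id
# winbind reports is the one set in AD rather than an allocated one.
# Assumptions: DC provisioned with --use-rfc2307, entries already carrying
# uidNumber/gidNumber, ldbmodify on PATH, and placeholder DNs and path
# (CN=...,DC=s4hj,DC=example; /etc/samba/sam.ldb) that you must adapt.

# Emit one LDIF modify record adding the auxiliary objectClass.
# $1: "user" or "group"; $2: DN of the entry.
gen_posix_objectclass_ldif() {
    case $1 in
        user)  oc=posixAccount ;;
        group) oc=posixGroup ;;
        *) echo "usage: gen_posix_objectclass_ldif user|group DN" >&2; return 2 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nadd: objectClass\nobjectClass: %s\n' "$2" "$oc"
}

# Feed that record to ldbmodify. Any extra arguments replace the default
# target, e.g. "-H ldap://dc1 -U Administrator" to go through the running DC
# instead of writing the local sam.ldb file as the thread does.
apply_posix_objectclass() {
    kind=$1; dn=$2; shift 2
    [ $# -gt 0 ] || set -- -H /etc/samba/sam.ldb
    gen_posix_objectclass_ldif "$kind" "$dn" | ldbmodify "$@"
}

# Third colon-separated field of a passwd(5)/group(5) line: the uid or gid.
id_field() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed only when the id in a getent line equals the value set in AD.
# A mismatch (e.g. 3000022 instead of 10000) means the idmap allocated a
# number and the rfc2307 attribute is not being used.
ids_match() {
    [ "$(id_field "$1")" = "$2" ]
}

# Usage: sh this_script.sh run   (on the DC, as a user allowed to write sam.ldb)
if [ "${1:-}" = run ]; then
    apply_posix_objectclass user  'CN=testuser,CN=Users,DC=s4hj,DC=example'
    apply_posix_objectclass group 'CN=testgroup,CN=Users,DC=s4hj,DC=example'
    ids_match "$(getent passwd testuser)" 10000 && echo "uid from AD: ok"
    ids_match "$(getent group testgroup)" 10000 && echo "gid from AD: ok"
fi
```

Only uidNumber and gidNumber are taken from AD by this path, as Andrew
notes above; the shell and home directory in the getent output come from
elsewhere in the configuration. The check matters beyond cosmetics: an
allocated id such as 3000013 is local to the idmap database of the host
that handed it out, so the same account can own files under different
numeric ids on different Samba hosts until the rfc2307 value is actually
in use.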